icedid | 53ae67abfc5065a0a7a9d1e7045d06496dc7aa7c6eabd851514a457d3e7f0e61

General

Target

core.bat
Size

184B
MD5

58bf5ed00d983d8269d9f2e31e6586e8
SHA1

664e4ea375e9066d82e7d3baa167f0bb024a7c1f
SHA256

22adba0cadd8772ecf2190561fe86e9ad8609b01783a90c8f9635fd1dcba872c
SHA512

68688d606733f4844fcaeff76b7b3577739b008ba8fd93f28b23999a81f42ae417938245bd9f620c15161ec085dd3de7b51c016526ea3109dcbb142f0f5cdc14

Score

10^/10

icedid banker trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

68 1864 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3528 rundll32.exe

flow	pid	process
68	1864	rundll32.exe

pid	process
3528	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897708220800396"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4080"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4296"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.499794"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "24.981374"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.612917"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{7422A187-B701-4438-F3B2-08CCD57253D9}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{7422A187-B701-4438-F3B2-08CCD57253D9}\ = eed49088a2a3248cbcfdd4f82a6979844273a7b248b77d3911f50b4c9ebd797a693eecc57def76e4b55f62629256b4d69ce1ad5f16cab14dbb744d4d6e0e7953ce4d68e03cc83c53c59bdae0385b75f6cd10642273450e6d41472f5349f3d413732dbe2c883deb2be4221a79f5137496b46c61f25977d08f8f4d1a0d125e26bd3346595b599346a67ea41a76254f5a47c58d66db8f99e195a792042f49ac7fa40872b65d277758c59a27564620de9612a1ff7d301cc08ebd0aae08cdf8	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe
Token: SeRestorePrivilege	2708	TiWorker.exe
Token: SeSecurityPrivilege	2708	TiWorker.exe
Token: SeBackupPrivilege	2708	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3940 wrote to memory of 1864 3940 cmd.exe rundll32.exe
PID 3940 wrote to memory of 1864 3940 cmd.exe rundll32.exe

description	pid	process	target process
PID 3940 wrote to memory of 1864	3940	cmd.exe	rundll32.exe
PID 3940 wrote to memory of 1864	3940	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\grunt_64.tmp,DllMain /i="license.dat"
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1864

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3248

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Admin\Jimeub.dll",DllMain --ceok="license.dat"
1⤵
- Loads dropped DLL
PID:3528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1308

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Admin\Admin\Jimeub.dll

MD5
71b55520f446691cbafd5902bb2a9085

SHA1
b08d479327b9e4b66c68bdf2aeb85a9902f2b71d

SHA256
1dcdb11c5355c7afc49931293ac7f433286d33ab81b4713033243f6732a31d79

SHA512
38bb4cf645b44188f9c4a71e8ece4f9a01701dcd3d5f458b273b2ac9b0fbc65f8e3e6938e6c2bd05ee30aeffa03882e6da1d1569811d7e0d589cac4eb9c91899

Download Submit
C:\Users\Admin\AppData\Local\Admin\Admin\Jimeub.dll

MD5
71b55520f446691cbafd5902bb2a9085

SHA1
b08d479327b9e4b66c68bdf2aeb85a9902f2b71d

SHA256
1dcdb11c5355c7afc49931293ac7f433286d33ab81b4713033243f6732a31d79

SHA512
38bb4cf645b44188f9c4a71e8ece4f9a01701dcd3d5f458b273b2ac9b0fbc65f8e3e6938e6c2bd05ee30aeffa03882e6da1d1569811d7e0d589cac4eb9c91899

Download Submit
C:\Users\Admin\AppData\Roaming\license.dat

MD5
7eb64145636d2e8343d9077f15c11022

SHA1
c0b221ca05431092bc1c789a33d199124c8fec1c

SHA256
96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

SHA512
53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1864-131-0x000002A3A6A80000-0x000002A3A6AD9000-memory.dmp

Filesize
356KB

Download
memory/1864-132-0x000002A3A50A0000-0x000002A3A50A6000-memory.dmp

Filesize
24KB

Download
memory/3528-135-0x00000220629C0000-0x0000022062A19000-memory.dmp

Filesize
356KB

Download
memory/3528-137-0x0000022062970000-0x0000022062976000-memory.dmp

Filesize
24KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads